CVE-2023-41104

libvmod-digest before 1.0.3, as used in Varnish Enterprise 6.0.x before 6.0.11r5, has an out-of-bounds memory access during base64 decoding, leading to both authentication bypass and information disclosure; however, the exact attack surface will depend on the particular VCL (Varnish Configuration Language) configuration in use.

Published: Aug 23, 2023
Updated: Aug 29, 2023
CVE: CVE-2023-41104
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
varnish-software / vmod_digest	-	1.0.3
varnish-software / varnish_enterprise	6.0.11	6.0.11.x
varnish-software / varnish_enterprise	6.0.11-r1	6.0.11-r1.x
varnish-software / varnish_enterprise	6.0.11-r2	6.0.11-r2.x
varnish-software / varnish_enterprise	6.0.11-r3	6.0.11-r3.x
varnish-software / varnish_enterprise	6.0.11-r4	6.0.11-r4.x
varnish-software / varnish_enterprise	6.0.0	6.0.11

https://docs.varnish-software.com/security/VSV00012/
https://github.com/varnish/libvmod-digest/releases/tag/libvmod-digest-1.0.3
https://www.varnish-cache.org/security/VSV00012.html

Vulnerability Database

289,599

CVE-2023-41104